Posted
by
Soulskillon Friday July 09, 2010 @03:35PM
from the penguins-with-guns dept.

Trailrunner7 writes "A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools that comprise a very powerful environment for taking apart malicious code. REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux, but recently decided that Ubuntu was a better fit. REMnux has three separate tools for analyzing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens' analysis tools. REMnux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder."

Malware often uses low-level code and tricks which makes them break when they are being run in an emulator. They also often have checks and tricks in place to detect if they are being run in a virtual machine and either crash itself or act differently. How do you run Windows executables with this so that they actually work normally?

While some malware detects VMs and some fails to run in VMs, not much that I've seen detects VMs then behaves significantly differently or intentionally refuses to run. The Conficker family, for example, detects VMs, then reports on connection to the control channel that it is a VM in addition to the other system info.

As to working around this problem, the way I've seen it done is expensive hardware designed for the purpose, that lets you analyze what is happening from a "watcher" machine and revert the machine once you are done. This was being used in a network security company to analyze the behavior of worms.

Yep. Backtrack seems better than an Ubuntu, for a pentesting suite, I think.

I like Ubuntu, and I've installed it at the house, because the wife likes it too. But, for pentesting and analysis, you just don't need, or even want, all the pretties and the extra libraries and apps that Ubuntu lugs around as baggage.

Backtrack doesn't have EVERYTHING a guy might want for every purpose - or it didn't the last time I looked - but you can easily install anything that you need.